Zoom Will Fix the Flaw That Let Hackers Hijack Webcams

After initially saying that it wouldn't issue a full fix for a vulnerability disclosed on Monday, the video conferencing service Zoom has changed course. The company now tells WIRED that it will push a patch on Tuesday to alter Zoom's functionality and eliminate the bug. You should update Zoom now.

The Zoom controversy stems from the service's video settings, which start streaming from a Mac's webcam the instant a user joins a call. Late Monday evening, the company published an extensive statement defending the practice and addressing other bugs found by security researcher Jonathan Leitschuh. But it declined to fully address the concern that an attacker could distribute a malicious Zoom call URL, trick users into clicking it, and then open a channel into their lives when their webcam automatically activated. Zoom originally said only that it would adjust the setting by which a user chooses whether video launches by default with every call.

That proposed tweak did little to mollify critics, who pointed to Zoom's quiet installation of a local web server on Mac computers. That server allowed Mac users to join meetings seamlessly, but it also exposed the app to potential remote code execution attacks, and it circumvented a Safari safeguard that exists precisely to protect users: the browser's confirmation prompt before a web page is allowed to launch a local application.

"I'm seriously considering blocking the port used for that web server," Mac researcher Thomas Reed told WIRED on Tuesday before Zoom announced the change. David Wells, a researcher who has evaluated Zoom security before, called Leitschuh's findings "downright creepy."

On Tuesday afternoon, company CEO Eric Yuan told Leitschuh and other researchers that Zoom would remove the local web server functionality it was using to bypass protections in Safari and facilitate instant meeting joins. Yuan shared the news in one of the Zoom meetings Leitschuh had created as a malicious proof of concept.

"He came in and chatted with us and apologized and made a full about face," Leitschuh says.

Zoom has since confirmed that Tuesday night's patch will totally remove the local web server functionality. The company says that it is "stopping use" of this feature going forward. Zoom users will receive a prompt in the Zoom desktop app to download the update. Additionally, the patch will add a menu option to enable full, manual uninstall of Zoom. This seems to be targeted at an additional concern about the local web server, which was that it persisted on users' devices even after they uninstalled Zoom. This meant that it could act as a sort of conduit, allowing the application to automatically reinstall itself if a user deleted the Zoom app and then later clicked a Zoom call URL.
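For readers who want to verify that the local web server is really gone from a Mac, the following check is an added example, not code from the article or from Zoom. It assumes three facts from the July 2019 disclosure that the article does not spell out: the helper process was named ZoomOpener, it listened on TCP port 19421 on localhost, and it lived in a hidden ~/.zoomus directory that survived dragging Zoom.app to the Trash. The lsof line used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the WIRED article or from Zoom): check a Mac for the
# pre-patch Zoom local web server and the leftover helper that reinstalled it.
#
# Assumptions not stated on the page (from the 2019 disclosure): the helper was
# named ZoomOpener, it listened on 127.0.0.1:19421, and it lived in ~/.zoomus.

ZOOM_PORT=19421

# zoom_listener LSOF_OUTPUT
# Given the text of `lsof -nP -iTCP:$ZOOM_PORT -sTCP:LISTEN`, print the name of
# the process holding the listening socket, or nothing if no process is.
# lsof truncates COMMAND to nine characters, so ZoomOpener shows as ZoomOpene.
zoom_listener() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF == "(LISTEN)" { print $1; exit }'
}

# zoom_leftover HOME_DIR
# Succeed (exit 0) if the persistent helper directory is still present.
zoom_leftover() {
    [ -d "$1/.zoomus" ]
}

# zoom_check: run the live check on this machine and report what was found.
zoom_check() {
    listener=""
    if command -v lsof >/dev/null 2>&1; then
        listener=$(zoom_listener "$(lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN 2>/dev/null)")
    fi
    if [ -n "$listener" ]; then
        echo "local web server still listening on 127.0.0.1:$ZOOM_PORT ($listener)"
    else
        echo "nothing listening on 127.0.0.1:$ZOOM_PORT"
    fi
    if zoom_leftover "$HOME"; then
        echo "leftover helper directory present: $HOME/.zoomus"
    else
        echo "no leftover helper directory under $HOME"
    fi
}

# zoom_remove_helper: stop the helper and replace its directory with an
# unwritable placeholder file so a later click on a Zoom URL cannot recreate it.
# Only run this deliberately; it deletes ~/.zoomus.
zoom_remove_helper() {
    pkill ZoomOpener 2>/dev/null
    rm -rf "$HOME/.zoomus"
    touch "$HOME/.zoomus" && chmod 000 "$HOME/.zoomus"
}

# Run the live check only when asked; sourcing the file just defines the functions.
if [ "${ZOOM_CHECK_LIVE:-0}" = 1 ]; then
    zoom_check
fi
```

Run it with `ZOOM_CHECK_LIVE=1 sh zoom_check.sh` after installing the patch: both lines should report nothing found. If the listener is still there, the update has not been applied yet; if only the directory remains, `zoom_remove_helper` clears it and leaves a placeholder that blocks the silent reinstall described above.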

Zoom is also moving ahead with the tweak it announced on Monday night that will give users more control over their default setting for auto-join video. That update will go out on July 12.

"On the one hand it took over 100 days for them to actually take this seriously and it required public outcry," Leitschuh says. "On the other hand it's a really good thing to see that a company can apologize for their mistakes and be willing to work with the community and researchers. It's now on all of us to hold them accountable."

In recounting its months-long interaction with Leitschuh, Zoom said in its Monday statement, "Our Security and Engineering teams engaged the researcher and were in frequent contact over the subsequent period. This engagement included disagreement about the severity of the meeting join concern. Ultimately, Zoom decided not to change the application functionality."

The company seems to have pivoted in just a few hours, though, perhaps because of unexpected uproar from users, even those outside the technical community.

Updated July 9, 2019, 6:00pm ET to reflect that Zoom’s patch is now live.
